[Triumf-linux-managers] Re: Distributed Linux SSH dictionary attack
Andrew Daviel
advax at triumf.ca
Thu Apr 16 19:27:43 PDT 2009
On Thu, 16 Apr 2009, Andrew Daviel wrote:
> At this point I am not sure what the risk is. Unlike the normal dictionary
> attacks, which target root, this is trying hundreds of names.
> The attacking machines appear to be Linux. I am not sure if they have been
> compromised by this attack itself (guessing passwords), or by some other
> method.
I talked to an admin at one of the attacking sites. It seems that they
were compromised via a vulnerability in "roundcube" webmail, and the
intruder dropped an SSH scanner on them, controlled via IRC.
So it's not a new worm or global attack, it's someone targeting us using
a small botnet. Which I suppose is good news - it's going to stop, not
get worse.
I may in future try to filter ssh sitewide using the list from
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
The scan seems to try about 5 passwords per name. I now estimate the risk
as minimal providing that reasonably strong passwords are used (no
guest/guest or adam/adam_). It has not yet hit my machine where I am
logging failed passwords, so I can't see what it is trying.
There is no need to implement the iptables rules in the last message.
However, if your local policy locks down ssh access already, fine.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
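A detection sketch for the pattern described in this message (hundreds of usernames, a handful of guesses per name, several attacking hosts), as an added example that is not part of the original post or of TRIUMF's tooling: it parses sshd "Failed password" lines, separates that pattern from the usual root-focused brute force, and lists which of the guessed names actually exist locally, since those are the accounts whose password strength decides whether the scan succeeds. The log lines, the local account list and the classification thresholds are constructed assumptions, not observed data.

```python
"""Classify sshd 'Failed password' events: root-focused brute force versus a
distributed dictionary attack that tries many usernames with few guesses each.

Added example. Log lines, account list and thresholds below are constructed.
"""
import re
from collections import Counter

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user adam from ..." (user unknown to the host).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: few guesses per name, many names, several source hosts.
SPRAY_LOG = """\
Apr 16 18:01:02 host sshd[4001]: Failed password for invalid user adam from 203.0.113.5 port 4412 ssh2
Apr 16 18:01:03 host sshd[4002]: Failed password for invalid user adam from 203.0.113.5 port 4413 ssh2
Apr 16 18:01:04 host sshd[4003]: Failed password for guest from 203.0.113.5 port 4414 ssh2
Apr 16 18:01:05 host sshd[4004]: Failed password for guest from 198.51.100.7 port 5012 ssh2
Apr 16 18:01:06 host sshd[4005]: Failed password for invalid user test from 198.51.100.7 port 5013 ssh2
Apr 16 18:01:07 host sshd[4006]: Failed password for oracle from 192.0.2.9 port 6101 ssh2
Apr 16 18:01:08 host sshd[4007]: Failed password for oracle from 192.0.2.9 port 6102 ssh2
Apr 16 18:01:09 host sshd[4008]: Failed password for root from 192.0.2.9 port 6103 ssh2
Apr 16 18:01:10 host sshd[4009]: Failed password for invalid user mysql from 203.0.113.77 port 7001 ssh2
Apr 16 18:01:11 host sshd[4010]: Accepted publickey for alice from 10.0.0.2 port 50000 ssh2
"""

# Constructed sample: the classic single-source hammering of root.
ROOT_LOG = """\
Apr 16 19:00:01 host sshd[5001]: Failed password for root from 198.51.100.200 port 7001 ssh2
Apr 16 19:00:02 host sshd[5002]: Failed password for root from 198.51.100.200 port 7002 ssh2
Apr 16 19:00:03 host sshd[5003]: Failed password for root from 198.51.100.200 port 7003 ssh2
Apr 16 19:00:04 host sshd[5004]: Failed password for root from 198.51.100.200 port 7004 ssh2
Apr 16 19:00:05 host sshd[5005]: Failed password for root from 198.51.100.200 port 7005 ssh2
Apr 16 19:00:06 host sshd[5006]: Failed password for root from 198.51.100.200 port 7006 ssh2
Apr 16 19:00:07 host sshd[5007]: Failed password for invalid user admin from 198.51.100.200 port 7007 ssh2
"""

# Constructed local account list (in practice: parse /etc/passwd or getent).
LOCAL_ACCOUNTS = {"root", "alice", "guest", "oracle"}


def parse_failed_logins(text):
    """Return a (user, source_ip) pair for every 'Failed password' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m["user"], m["ip"]))
    return events


def summarize(events):
    """Aggregate attempt counts per username and per source host."""
    users = Counter(user for user, _ in events)
    sources = Counter(ip for _, ip in events)
    attempts = len(events)
    return {
        "attempts": attempts,
        "distinct_users": len(users),
        "distinct_sources": len(sources),
        "attempts_per_user": attempts / len(users) if users else 0.0,
        "root_share": users["root"] / attempts if attempts else 0.0,
        "users": users,
        "sources": sources,
    }


def classify(summary, min_users=5, max_attempts_per_user=10, min_sources=2):
    """Thresholds are assumptions; tune them to the site's own baseline."""
    if summary["attempts"] == 0:
        return "no failed password attempts"
    if summary["root_share"] >= 0.8:
        return "root-focused brute force"
    if (summary["distinct_users"] >= min_users
            and summary["attempts_per_user"] <= max_attempts_per_user
            and summary["distinct_sources"] >= min_sources):
        return "distributed username dictionary attack"
    return "undetermined"


def exposed_accounts(summary, local_accounts):
    """Guessed usernames that exist locally: check these passwords first."""
    return sorted(set(summary["users"]) & set(local_accounts))


if __name__ == "__main__":
    for name, log in (("spray", SPRAY_LOG), ("root", ROOT_LOG)):
        s = summarize(parse_failed_logins(log))
        print(name, classify(s), s["distinct_users"], "users,",
              s["distinct_sources"], "sources, exposed:",
              exposed_accounts(s, LOCAL_ACCOUNTS))
```

The "Accepted publickey" line in the sample is deliberately ignored by the regex; a real deployment would read the same events from /var/log/secure or journalctl -u sshd and would compute the per-user and per-source counters over a sliding time window rather than the whole file.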